My submission to the GitHub Actions x DEV Hackathon 2021!
My Workflow
Policyer is an open-source project (more like a vision) I created after being inspired by policy engines that become very popular lately (OPA,Checkov)
Policyer going to focus on providing a platform to run and create meaningful reports, data engagement and a plugin system to let you provide any data, sometimes it can be k8s YAML and in other cases, it can be user data.
Policyer Action
The policyer-action lets you the option to run policyer as part of your CI process, in my example I'm going to validate GitHub SDK calls.
The provider is like a plugin for policyer engine, it provides the data so the engine can run it against the checks (polciies)
It's important for me to emphasise that Policyer provide a platform, and eventually I will want to see a marketplace full of people custom providers.
The action can use any provider either local or published to NPM (support for private registries is on the way). In my example, I created a simple provider to run GitHub SDK calls.
Example Check:
---
configuration:
provider: github-provider
type: rest
validEvents:
- pull_request
- push
domain: pulls
action: listRequestedReviewers
args:
owner: context.payload.pull_request.base.user.login
repo: context.payload.pull_request.base.repo.name
pull_number: context.payload.pull_request.number
checks:
- id: validate-reviewers
name: check if reviewers exists.
severity: High
steps:
- path: data.users
condition: includes
value: "nirtester"
utility: map
utilityProps:
- "login"
(just a reminder this is a policy example and the GitHub action will evaluate it and output it as a report)
Check flow:
first of all we setup the configuration section where we can provide metadata for the check, in this example I'm asking the provider to do an SDK call:
SDK[pulls][listRequestedReviewers]({
owner: ...pull_request.base.user.login
repo: ...pull_request.base.repo.name
pull_number: ...pull_request.number
})
octokit docsnext, we going to dive into the actual policy, in this policy we want to verify a certain user is a reviewer, so after the call I'm going to point to the "users" array, then use the condition includes ([...users].includes(value)), utilities function by default includes all Lodash functions, you can add custom utilities in the provider level.
I'm going to use the map utility function to prepare an array of reviewers' usernames.the final step is the results:
Submission Category:
Wacky Wildcards
Action YAML
# Add github action file .github/workflows/policyer.yml
name: Policyer
on: [pull_request]
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Policyer GitHub Action
uses: policyerorg/policyer-action@v0.0.3-alpha
with:
verbose: false
provider: policyer-github
internal: false
checks_path: ./checks
Additional Resources / Info
Visit Policyer for more information this is just the beginning
Packages used
chalk
figlet
jmespath
lodash
moment
yaml
yargs
@actions/core/github